scy

Eek. Apparently liblzma (part of the xz package) has a backdoor in versions 5.6.0 and 5.6.1, causing SSH to be compromised.

openwall.com/lists/oss-securit

This might even have been done on purpose by the upstream devs.

Developing story, please take with a grain of salt.

The 5.6 versions are somewhat recent, depending on how bleeding edge your distro is you might not be affected.

#liblzma #xz #lzma #backdoor #ITsecurity #OpenSSH #SSH

7 comments
scy

Red Hat released an urgent security alert for Fedora 41 and Rawhide users:

> PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA 41 OR FEDORA RAWHIDE INSTANCES for work or personal activity.

redhat.com/en/blog/urgent-secu

> Although Fedora 40 beta contained the 5.6 version of xz in an update, the build environment prevents the injection from correctly occurring, and has not been shown to be compromised. Fedora 40 has now reverted to the 5.4.x versions of xz.

#RedHat #Fedora #FedoraRawhide #Fedora41

scy

Red Hatter rwmj on news.ycombinator.com/item?id=3:

> the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of it's "great new features". We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor […]

> He has been part of the xz project for 2 years, adding all sorts of binary test files

> with this level of sophistication I would be suspicious of even older versions of xz

scy

Also, PSA for people who are immediately triggered by the word "systemd", partially blaming it for the issue:

No.

Some distros patch OpenSSH to link to libsystemd to call freedesktop.org/software/syste to notify systemd about startup completion.

libsystemd then links to the backdoored lzma for other things.

But OpenSSH could've implemented the notification on its own. It's literally "send a line into a socket", only a few lines of code, even in C.

chaos.social/@smrqdt/112180465
news.ycombinator.com/item?id=3
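
The "send a line into a socket" notification the post refers to, written out as an added example in C; this is not code from the thread, from OpenSSH or from systemd. It assumes the sd_notify(3) protocol as documented by systemd: one datagram containing `READY=1` sent to the AF_UNIX socket whose address is in `$NOTIFY_SOCKET`, where a leading `@` denotes a Linux abstract-namespace socket. The function names `notify_to_path`, `sd_notify_minimal` and `self_test` and the temporary socket path are my own. The point of doing it this way is the one the post makes: the daemon gets the same startup signal without pulling libsystemd, and through it liblzma, into its address space.

```c
// Added example (not code from the thread, OpenSSH or systemd): a minimal
// sd_notify(3)-compatible sender using only libc. It sends one datagram to
// the AF_UNIX socket named by $NOTIFY_SOCKET, which is what libsystemd does
// for this case, so a daemon can report startup without linking libsystemd.
// Only the path and abstract-namespace ("@name") forms are handled.
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Send one datagram carrying `state` ("READY=1", "STOPPING=1", ...) to the
 * notify socket at notify_path. Returns 1 on success, -1 on error. */
static int notify_to_path(const char *notify_path, const char *state)
{
    struct sockaddr_un addr;
    size_t len = strlen(notify_path);
    ssize_t ret;
    int fd;

    if (len == 0 || len >= sizeof(addr.sun_path))
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, notify_path, len);
    /* Abstract-namespace sockets are spelled "@name" in NOTIFY_SOCKET and
     * addressed with a leading NUL byte (Linux-specific). */
    if (addr.sun_path[0] == '@')
        addr.sun_path[0] = '\0';

    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    fcntl(fd, F_SETFD, FD_CLOEXEC); /* never leak the fd to children */
    ret = sendto(fd, state, strlen(state), 0, (struct sockaddr *)&addr,
                 (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len));
    close(fd);
    return ret == (ssize_t)strlen(state) ? 1 : -1;
}

/* Returns 0 when no service manager is listening (NOTIFY_SOCKET unset),
 * otherwise the result of notify_to_path(). */
static int sd_notify_minimal(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL)
        return 0;
    return notify_to_path(path, state);
}

/* Self-test: play the service manager on a temporary datagram socket, send
 * READY=1 through the helper, and check the exact message arrives.
 * Returns 1 on success, 0 on any failure. */
static int self_test(void)
{
    char dir[] = "/tmp/notify-XXXXXX"; /* constructed temp location */
    char path[108], buf[64];
    struct sockaddr_un addr;
    int srv, ok = 0;
    ssize_t n;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof(path), "%s/notify", dir);
    srv = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (srv < 0) { rmdir(dir); return 0; }
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    if (bind(srv, (struct sockaddr *)&addr, sizeof(addr)) == 0) {
        /* Exercise the same path a daemon takes via $NOTIFY_SOCKET. */
        setenv("NOTIFY_SOCKET", path, 1);
        if (sd_notify_minimal("READY=1") == 1) {
            n = recv(srv, buf, sizeof(buf) - 1, 0);
            if (n > 0) {
                buf[n] = '\0';
                ok = strcmp(buf, "READY=1") == 0;
            }
        }
        unsetenv("NOTIFY_SOCKET");
    }
    close(srv);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    if (!self_test()) {
        fprintf(stderr, "self-test failed: %s\n", strerror(errno));
        return 1;
    }
    puts("READY=1 delivered over the notify socket without libsystemd");
    return 0;
}
```

A daemon would call `sd_notify_minimal("READY=1")` once its listening socket is up; the return value of 0 when `NOTIFY_SOCKET` is absent means the same binary runs unchanged outside a service manager.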

scy

There is now a GitHub issue in the xz repository inquiring about whether this has been intentional or not.

github.com/tukaani-project/xz/

scy

I'm not saying that it looks like someone has specifically targeted xz and played the long game by helping out a maintainer that was overworked and suffered from mental health issues

but it does look like someone has specifically targeted xz and played the long game by helping out a maintainer that was overworked and suffered from mental health issues

mastodon.social/@glyph/1121809

scy

Meanwhile, #Debian is considering rolling #xz back not only to the point before the backdoor was added, but to where the person who _wrote_ the backdoor hadn't contributed any code to xz yet.

Which means considering creating patches to fix ABI breakage such a rollback would cause.

bugs.debian.org/cgi-bin/bugrep

For all the trash talk Debian gets for being "pedantic" and slow to change: They put in the _work_ to do things _right_. I respect that.

via hachyderm.io/@joeyh/1121815129

(Edit: English is hard.)
